Huawei Cyber Security White Paper (Dec. 2014)

In our White Paper, Making cyber security a part of a company’s DNA - A set of integrated processes, policies and standards, published in October 2013, we detailed our comprehensive approach to end-to-end cyber security processes. We stated that we had taken the opportunity to document the Top 100 things our customers talk to us about in relation to cyber security. In essence, that list includes some of the questions anyone may wish to ask their technology vendors when it comes to their approach to cyber security. This White Paper details that Top 100. It is a list that focuses on what buyers of technology should ask their technology vendors.

The purpose is to provide suggestions based on questions posed to Huawei and our assessment of a range of “standards” and best practice so that buyers can systematically analyse vendor cyber security capability when asking for or responding to tenders.

In detailing this Top 100 we have taken reference from many sources:

• First and foremost, we have listened intently to our customers. What are their issues and concerns? What is it that they worry about? What are their requirements, the requirements of their industry or their country?

• As a global leader in the ICT industry covering everything from large-scale telecommunications infrastructure to cloud computing, enterprise and consumer solutions, we possess a wealth of knowledge in our 150,000 employees, scientists and engineers - we have harnessed their knowledge and their passion to get it right.

• Finally, we have scanned over 1,200 "standards", articles or "best practice" to ensure some level of consistency.

We recognize that in many countries the legal and industry requirements relating to cyber security are increasing. Indeed it is not uncommon to see governments and regulators beginning to pass the accountability, and subsequent liability for failure, of cyber security onto national critical infrastructure providers and computer or IT service providers. More and more companies will be forced to detail the approach they take to cyber security and detail what analysis and assessment they undertook on their technology vendors and service providers.

The time for a service provider to say "I didn't know" or "I thought they were good and capable" is rapidly running out. The time where buyers of technology do not use consistent evaluation questions for all of their suppliers is coming to an end. In a globally intertwined world the threat can, and does, come from everywhere. This Top 100 gives you a starting point for beginning to mitigate your own risk when evaluating a supplier’s capability on cyber security, and crucially we believe the more demanding the buyer and the more consistent buyers are in asking for high quality security assurance, the more likely ICT vendors are to invest and to raise their security standards.

The bulk of the White Paper details the 100 items we believe, based on our research, you should consider when selecting technology vendors. They are broken down into sections covering: strategy, governance and control; standards and processes; laws and regulations; human resources; research and development; verification; third-party supplier management; manufacturing; delivering services securely; issue, defect and vulnerability resolution; and finally audit.

Each section details a number of requirements you should consider asking your technology vendors. We also provide some additional rationale for why this might be important. Some of these questions may well help you in your own organizations in terms of what the internal auditors may look at, what your own governance might want to consider, and indeed what your Board and Audit Committee may ask.

Lastly, we make a number of pleas to the standards bodies:

• First of all, we should come together to reduce any overlap and duplication between the differing standards.

• Second, the various standards should be reconstructed so that they are built on consistent building blocks: for example, governance and control should be the same building block for all standards that require this, not a slightly different module in many standards.

• Third, we need to focus more on outcome measures where this is possible, rather than defining the input or task.

For our part, we encourage as many companies, policy advisers, vendors and buyers as possible to consider this initial Top 100 as "version 1.0" and make suggestions on how it could be improved. In that spirit, we are delighted to announce that the EastWest Institute (EWI) has agreed to take this initial Top 100 and, using its extensive knowledge and networks, shepherd the evolution of updated and more tailored versions. We look forward to the Top 100 concept becoming an integral part of a buyer's approach and helping the ICT industry drive to greater improvements in product and service security design, development and deployment.